Perhaps the XSS flaw is nothing to be worried about. Perhaps passwords really are adequately protected. But from all the evidence we have, both the website vulnerability and the poor password practices are far from safe. At the very least, Tesco can improve in both areas.

Here is a little recap of what’s wrong with Tesco security. First off, it appears Tesco is sending passwords to users in plain text. That’s not good. If they are being sent in plain text, it means anyone with malicious intent who is able to intercept customers’ emails won’t have to bother with decrypting anything to access that person’s Tesco account. More worryingly, it indicates Tesco isn’t hashing or salting its passwords at all, storing them in plain text. That means there’s a database somewhere that hackers are salivating over.
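The contrast the paragraph draws, as an added example (not code from the article or from Tesco): the weak design stores the password as typed and can therefore email it straight back, while the hashed design keeps only a per-user salt and a PBKDF2-HMAC-SHA256 digest, so a "forgotten password" request can only be answered with a single-use reset token. The in-memory dictionaries and PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores for the example; a real site would use a database.
PLAINTEXT_STORE = {}   # the practice the article infers: password kept as typed
HASHED_STORE = {}      # the practice the article asks for: salt + digest only
RESET_TOKENS = {}      # hashed one-time tokens for the "forgotten password" flow


def register_plaintext(user, password):
    # Weak: whatever sits here can be emailed back verbatim to the customer,
    # and is exposed wholesale if the database leaks.
    PLAINTEXT_STORE[user] = password


def forgotten_password_plaintext(user):
    # A "here is your password" email is only possible because nothing was hashed.
    return PLAINTEXT_STORE.get(user)


def register_hashed(user, password, iterations=200_000):
    # Per-user random salt defeats precomputed tables; PBKDF2 slows brute force.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    HASHED_STORE[user] = {"salt": salt, "iterations": iterations, "digest": digest}


def verify_hashed(user, password):
    rec = HASHED_STORE.get(user)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["digest"])  # constant-time compare


def forgotten_password_hashed(user):
    # Nothing recoverable is stored, so the only honest reply is a reset token.
    if user not in HASHED_STORE:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[user] = hashlib.sha256(token.encode()).digest()  # store only its hash
    return token


def reset_with_token(user, token, new_password):
    # Single use: the token is consumed on the first attempt, right or wrong.
    expected = RESET_TOKENS.pop(user, None)
    presented = hashlib.sha256(token.encode()).digest()
    if expected is None or not hmac.compare_digest(presented, expected):
        return False
    register_hashed(user, new_password)
    return True
```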

Head stuck in the sand

Why can’t Tesco speak out on this? Its silence is of serious concern. If companies as big as LinkedIn can say ‘hey, we messed up by not hashing and salting passwords, but we’ll do it from now on’, why can’t Tesco tell us how it is protecting its users’ login details? There is no harm in being transparent here, but, whether because of the siloed nature of Tesco’s business, poor communication or just plain old incompetence, the supermarket giant remains quiet.

It is just as tight-lipped about the XSS vulnerability on the site, which could allow hackers to get hold of user account IDs if they were able to trick a logged-in user into clicking on a link. It might seem like hackers would have a slim chance of finding logged-in users and then duping them, but anyone who ‘gets’ security knows how crafty mischievous Web users can be.

I have disclosed all of the relevant information to Tesco, including details on what the weakness is and how it could be exploited. I was told the information would be passed on to the relevant people. But I have had nothing official in return, other than this canned comment: “We know how important Internet security is to customers and the measures we have are robust. We are never complacent and work continuously to give customers the confidence that they can shop securely.” Pah!

Hunt told me he “might have actually made some progress with some real technical people” but he was “not expecting miracles”. As expected, the miracles never materialised. Even a typically histrionic piece in the Daily Mail hasn’t made it through Tesco’s impenetrable earmuffs.

What happens now? I can do little more. In an ideal world, Tesco would read this piece, and all the other negative articles about its security practices, and enact immediate change. But, again, that seems rather unlikely, even though both the website vulnerability and the password issues are very simple to rectify. Everything appears to move at a rather glacial pace over there…

Researchers might be able to go further, however. Whereas I am unwilling to make the vulnerability public, others may have a more flexible conscience. If the XSS vulnerability is made known to hackers, they will use it and they will succeed in defrauding Tesco and its customers. That would be tragic – but might at least have the benefit of waking Tesco up from its slumber and forcing it to fix the manifold problems with its IT security.

It would, of course, be preferable for customers to start kicking up more of a fuss. Tesco is fairly active on Twitter, so anyone who does care about keeping their account secure should start venting their frustration on that channel, or over Facebook, or however they wish. The pressure could and should pay off.

Example:
Make a request to see security camera footage from one of your visits to Tesco. Also ask who else gets to see that data and whom they share or sell that data on to. I’m specifically talking about security video footage.

Result:
They will reply to your requests with:

– Please send us your Club Card details.

This is obviously silly. How are Club Card details going to help with security camera footage? But this is what I mean by “template email”.

I did this because I was curious as to why every time I entered Tesco stores I constantly found security guards following me.

I shop at Lidl’s now.

My point is: Tesco see themselves as an immovable object and, sorry to tell you this, but whatever you write on this web page, it will not bother Tesco one little bit, because it won’t even affect their profits in the most minuscule way.

Why does everyone stress about security systems? We couldn’t live without them now; how many crimes have been solved, and solved more quickly, because of them? I personally feel much safer for them being around. Just go about your business; if you are doing nothing wrong, you have nothing to worry about.